CVE-2025-13342 | THREATINT

Description

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized modification of arbitrary WordPress options in all versions up to, and including, 3.28.20. This is due to insufficient capability checks and input validation in the ActionOptions::run() save handler. This makes it possible for unauthenticated attackers to modify critical WordPress options such as users_can_register, default_role, and admin_email via submitting crafted form data to public frontend forms.

PUBLISHED Reserved 2025-11-17 | Published 2025-12-03 | Updated 2025-12-03 | Assigner Wordfence

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-862 Missing Authorization

Product status

Default status

unaffected

* (semver)

affected

Timeline

2025-11-07:	Discovered
2025-11-19:	Vendor Notified
2025-12-03:	Disclosed

Credits

JEONG YU CHAN finder

References

www.wordfence.com/...-3061-429b-b218-83805287e4f3?source=cve

plugins.trac.wordpress.org/...0432/acf-frontend-form-element

cve.org (CVE-2025-13342)

nvd.nist.gov (CVE-2025-13342)